A couple of months ago at WordCamp Chicago 2009, Matt Mullenweg was asked by Dan Schulz how to make WordPress more secure. What he said there has now been written up in more detail at WordPress.org in the article How to Keep WordPress Secure.
From the get-go, I knew that the primary way was to keep your WordPress version up to date. As a small web host with Host Solutions, I have seen hacked versions of WordPress and normal installations time and time again. I found that the hacked versions were more easily infiltrated by spammers and that the resources they used were much higher.
Of course, you could always adjust your .htaccess file and “harden” your WordPress installation, but having an up-to-date version lets you patch any bugs found in previous versions right away. I have also found that some users who have hacked their WordPress version so heavily have a hard time tweaking it enough to upgrade.
I did this when I started out using b2. When I went to switch over to WordPress, I had a rough time and had to rely on a fresh Fantastico install instead. Not only was my version badly altered, but I was doing more harm to my server.
Like Matt Mullenweg said:
“Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)”
If you use a hacked version, carefully follow the upgrade notes to make sure you do not miss any important areas that could leave your website exposed. Many of the upgrade notes can be found in the developer documentation section of the WordPress Codex, or more specifically in WordPress Trac.
Is your WordPress version up to date? Do you have a manual install or an automatic install like Fantastico? If you have a hacked version of WordPress, have you run into any problems?